Rules in an access control policy are numbered, starting at 1.
The system matches traffic to rules in top-down order by ascending rule number.
With the exception of Monitor rules, the first rule that traffic matches is the
rule that handles that traffic.
Proper access control rule order reduces the resources required
to process network traffic, and prevents rule preemption. Although the rules
you create are unique to every organization and deployment, there are a few
general guidelines to follow when ordering rules that can optimize performance
while still addressing your needs.
Order Rules from Most to Least Critical
First, you must order rules to suit your organization's needs.
Place priority rules that must apply to all traffic near the top of the policy.
For example, if you want to inspect traffic from a single user for intrusions
(using an Allow rule), but trust all other users in the department (using a
Trust rule), place two access control rules in that order.
Order Rules from Specific to General
You can improve performance by placing specific rules earlier,
that is, rules that narrowly define the traffic they handle. This is also
important because rules with broad conditions can match many different types of
traffic, and can preempt later, more specific rules.
Consider a scenario where you want to block most social
networking sites, but allow access to certain others. For example, you may want
your graphic designers to be able to access Creative Commons Flickr and
deviantART content, but not access other sites such as Facebook or Google+. You
should order your rules as follows:
- Rule 1: Allow Flickr, deviantART for the “Design” LDAP user group
- Rule 2: Block social networking
If you reverse the rules:
- Rule 1: Block social networking
- Rule 2: Allow Flickr, deviantART for the “Design” LDAP user group
the first rule blocks all social networking traffic, including
Flickr and deviantART. Because no traffic will ever match the second rule, your
designers cannot access the content you wanted to make available.
Avoid Rule Preemption
The conditions of an access control rule may preempt a
subsequent rule from matching traffic. For example:
- Rule 1: allow Admin users
- Rule 2: block Admin users
The second rule above will never block traffic because the first
rule will have already allowed the traffic.
Any type of rule condition can preempt a subsequent rule. For
example, the VLAN range in the first rule below includes the VLAN in the second
rule, so the first rule preempts the second rule:
- Rule 1: allow VLAN 22-33
- Rule 2: block VLAN 27
In the following example, Rule 1 matches any VLAN because no
VLANs are configured, so Rule 1 preempts Rule 2, which attempts to match VLAN
2:
- Rule 1: allow Source Network 10.4.0.0/16
- Rule 2: allow Source Network 10.4.0.0/16, VLAN 2
A rule also preempts an identical subsequent rule where all
configured conditions are the same. For example:
- Rule 1: allow VLAN 1 URL www.example.com
- Rule 2: allow VLAN 1 URL www.example.com
A subsequent rule would not be preempted if any condition is
different. For example:
- Rule 1: allow VLAN 1 URL www.example.com
- Rule 2: allow VLAN 2 URL www.example.com
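The preemption cases above can be checked mechanically before a policy is deployed. The following is an added example, not Cisco code: a small first-match checker that treats an unconfigured condition as matching all traffic and reports any rule that an earlier non-Monitor rule fully covers. The condition types, the constructed "social networking" site list, and the group name "Design" are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import FrozenSet, Optional

ANY = None  # an unconfigured condition matches all traffic, as the text describes

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # allow, block, trust, monitor, ...
    vlans: Optional[FrozenSet[int]] = ANY     # VLAN IDs the rule matches, or ANY
    src_net: Optional[IPv4Network] = ANY      # source network, or ANY
    urls: Optional[FrozenSet[str]] = ANY      # URL / site conditions, or ANY
    users: Optional[FrozenSet[str]] = ANY     # LDAP user groups, or ANY

def _covers(earlier, later) -> bool:
    """True if the earlier condition matches everything the later condition can match."""
    if earlier is ANY:
        return True                           # unconfigured: matches any traffic
    if later is ANY:
        return False                          # later is broader than earlier
    if isinstance(earlier, IPv4Network):
        return later.subnet_of(earlier)       # 10.4.0.0/16 covers 10.4.0.0/16 or smaller
    return later <= earlier                   # set containment, e.g. {27} within 22-33

def preempted_by(rules, index) -> Optional[Rule]:
    """Return the first earlier rule that preempts rules[index], or None."""
    target = rules[index]
    for earlier in rules[:index]:
        if earlier.action == "monitor":
            continue                          # Monitor rules never stop matching
        if all(_covers(getattr(earlier, f), getattr(target, f))
               for f in ("vlans", "src_net", "urls", "users")):
            return earlier
    return None

def shadowed_rules(rules):
    """List (rule, preempting rule) name pairs for every rule that can never match."""
    return [(r.name, p.name) for i, r in enumerate(rules) if (p := preempted_by(rules, i))]

# Constructed sample: the "social networking" category stands in for a URL category.
SOCIAL = frozenset({"flickr.com", "deviantart.com", "facebook.com", "plus.google.com"})
DESIGN_ALLOW = Rule("Allow design sites", "allow",
                    urls=frozenset({"flickr.com", "deviantart.com"}), users=frozenset({"Design"}))
BLOCK_SOCIAL = Rule("Block social networking", "block", urls=SOCIAL)

if __name__ == "__main__":
    print(shadowed_rules([DESIGN_ALLOW, BLOCK_SOCIAL]))   # [] : correct order
    print(shadowed_rules([BLOCK_SOCIAL, DESIGN_ALLOW]))   # Allow rule is shadowed
```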
Place Rules That Do Not Invoke Deep Inspection Before Those That Do
Because discovery, intrusion, file, and malware inspection
require processing resources, placing rules that do not inspect traffic (Trust,
Block) before rules that do (Allow, Interactive Block) can improve performance.
This is because Trust and Block rules can divert traffic that the system might
otherwise have inspected. All other factors being equal, that is, given a set
of rules where none is more critical and preemption is not an issue, consider
placing them in the following order:
- Monitor rules that log matching connections, but take no other action on traffic
- Trust and Block rules that handle traffic without further inspection
- Allow and Interactive Block rules that do not inspect traffic further
- Allow and Interactive Block rules that optionally inspect traffic for malware, intrusions, or both
Place Rules That Perform Application and URL Filtering Later